npm - @luanpdd/kit-mcp - Versions diffs - 1.33.0 → 1.34.0 - Mend

@luanpdd/kit-mcp 1.33.0 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (376) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +84 -84
package/kit/COMANDOS.md +138 -138
package/kit/COMPATIBILITY.md +70 -70
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +109 -109
package/kit/agents/ai-mutation-tester.md +289 -289
package/kit/agents/assumptions-analyzer.md +110 -110
package/kit/agents/audit-log-implementer.md +314 -314
package/kit/agents/auditor-consistencia-isolamento.md +414 -414
package/kit/agents/b2b-saas-architect.md +157 -157
package/kit/agents/burn-rate-forecaster.md +153 -153
package/kit/agents/cascading-failures-auditor.md +299 -299
package/kit/agents/codebase-mapper.md +769 -769
package/kit/agents/crm-pipeline-implementer.md +257 -257
package/kit/agents/debugger.md +814 -814
package/kit/agents/designer-ui.md +216 -216
package/kit/agents/detector-tenant-quente.md +338 -338
package/kit/agents/evolution-go-integrator.md +201 -201
package/kit/agents/example-reviewer.md +22 -22
package/kit/agents/executor.md +565 -565
package/kit/agents/golden-signals-instrumenter.md +232 -232
package/kit/agents/incident-investigator.md +238 -238
package/kit/agents/integration-checker.md +203 -203
package/kit/agents/invite-flow-implementer.md +190 -190
package/kit/agents/legacy-characterizer.md +369 -369
package/kit/agents/lgpd-compliance-auditor.md +296 -296
package/kit/agents/load-shedding-instrumenter.md +290 -290
package/kit/agents/multi-tenant-isolation-auditor.md +254 -254
package/kit/agents/multi-tenant-rls-writer.md +341 -341
package/kit/agents/nyquist-auditor.md +181 -181
package/kit/agents/observability-coverage-auditor.md +316 -316
package/kit/agents/observability-instrumenter.md +191 -191
package/kit/agents/omm-auditor.md +291 -291
package/kit/agents/org-onboarding-implementer.md +224 -224
package/kit/agents/payload-capture-instrumenter.md +274 -274
package/kit/agents/phase-researcher.md +697 -697
package/kit/agents/plan-checker.md +275 -275
package/kit/agents/planner.md +923 -923
package/kit/agents/postmortem-writer.md +273 -273
package/kit/agents/project-researcher.md +653 -653
package/kit/agents/prr-conductor.md +287 -287
package/kit/agents/refactor-safety-auditor.md +405 -405
package/kit/agents/release-pipeline-auditor.md +364 -364
package/kit/agents/research-synthesizer.md +246 -246
package/kit/agents/roadmapper.md +678 -678
package/kit/agents/schema-checker.md +160 -160
package/kit/agents/seam-finder.md +360 -360
package/kit/agents/shotgun-surgery-detector.md +350 -350
package/kit/agents/slo-engineer.md +217 -217
package/kit/agents/storytelling-analyst.md +300 -300
package/kit/agents/supabase-architect.md +249 -249
package/kit/agents/supabase-auth-bootstrapper.md +400 -400
package/kit/agents/supabase-auth-hook-writer.md +418 -418
package/kit/agents/supabase-branching-architect.md +563 -563
package/kit/agents/supabase-cicd-pipeline-implementer.md +778 -778
package/kit/agents/supabase-column-privileges-writer.md +400 -400
package/kit/agents/supabase-edge-fn-tester.md +288 -288
package/kit/agents/supabase-edge-fn-writer.md +341 -341
package/kit/agents/supabase-mfa-implementer.md +439 -439
package/kit/agents/supabase-migration-writer.md +386 -386
package/kit/agents/supabase-oauth-server-implementer.md +507 -507
package/kit/agents/supabase-rbac-implementer.md +393 -393
package/kit/agents/supabase-realtime-implementer.md +364 -364
package/kit/agents/supabase-rls-hardener.md +522 -522
package/kit/agents/supabase-rls-writer.md +324 -324
package/kit/agents/supabase-roles-implementer.md +356 -356
package/kit/agents/supabase-social-auth-implementer.md +451 -451
package/kit/agents/supabase-sso-saml-architect.md +549 -549
package/kit/agents/supabase-storage-implementer.md +407 -407
package/kit/agents/super-admin-implementer.md +282 -282
package/kit/agents/toil-auditor.md +268 -268
package/kit/agents/ui-auditor.md +438 -438
package/kit/agents/ui-checker.md +305 -305
package/kit/agents/ui-researcher.md +356 -356
package/kit/agents/user-profiler.md +176 -176
package/kit/agents/validador-evolucao-schema.md +336 -336
package/kit/agents/verifier.md +729 -729
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura-workflow.md +121 -0
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +238 -238
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +13 -11
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/kit-attribution-reminder.cjs +92 -92
package/kit/hooks/kit-router.cjs +137 -137
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-auth-hardening/SKILL.md +674 -674
package/kit/skills/supabase-auth-hooks/SKILL.md +875 -875
package/kit/skills/supabase-auth-methods/SKILL.md +486 -486
package/kit/skills/supabase-auth-sessions/SKILL.md +579 -579
package/kit/skills/supabase-auth-ssr/SKILL.md +306 -306
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +330 -330
package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -309
package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -302
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -279
package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -277
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -357
package/kit/skills/supabase-enterprise-sso-saml/SKILL.md +545 -545
package/kit/skills/supabase-jwt-signing-keys/SKILL.md +399 -399
package/kit/skills/supabase-mfa/SKILL.md +488 -488
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-oauth-server/SKILL.md +537 -537
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -460
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/supabase-social-oauth/SKILL.md +480 -480
package/kit/skills/supabase-third-party-auth/SKILL.md +450 -450
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/ui-anti-padroes-ia/SKILL.md +261 -261
package/kit/skills/ui-contexto-produto/SKILL.md +248 -248
package/kit/skills/ui-cor-estrategia/SKILL.md +213 -213
package/kit/skills/ui-critica-auditoria/SKILL.md +260 -260
package/kit/skills/ui-motion-funcional/SKILL.md +264 -264
package/kit/skills/ui-ritmo-espacial/SKILL.md +259 -259
package/kit/skills/ui-tipografia/SKILL.md +211 -211
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/kit/workflows/auditar-observabilidade-cobertura.workflow.js +250 -0
package/package.json +65 -63
package/src/core/kit.js +333 -216
package/src/core/reflect.js +247 -247
package/src/core/registry.js +123 -112
package/src/core/reverse-sync.js +448 -372
package/src/core/sync.js +477 -437
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +794 -794

package/kit/skills/supabase-auth-hooks/SKILL.md CHANGED Viewed

@@ -1,875 +1,875 @@
----
-name: supabase-auth-hooks
-description: Use ao implementar Auth Hooks no Supabase — custom access token, send email/SMS, before user created, MFA e password verification hooks.
----
-# Supabase — Auth Hooks
-## Quando usar
-LLM carrega esta skill quando implementar **Auth Hooks** no Supabase — endpoints que interceptam e modificam o fluxo padrão de autenticação em pontos de execução específicos.
-Trigger phrases:
-- "auth hook Supabase", "custom access token hook"
-- "send email hook", "send sms hook"
-- "before user created hook", "MFA verification hook"
-- "password verification hook"
-- "Postgres function hook", "HTTP hook Supabase"
-- `custom_access_token_hook`, `supabase_auth_admin`
-- "como bloquear signup por domínio", "como customizar email de auth"
-- "hook para rate-limit de login", "Standard Webhooks Supabase"
-## Princípio canônico
-Auth Hooks são **endpoints síncronos** que o Supabase Auth invoca em pontos específicos do fluxo de autenticação. O hook recebe um payload JSON, pode modificar o comportamento e retorna um JSON de resposta. Erros retornados pelo hook **bloqueiam** a operação de auth correspondente.
-**6 hooks disponíveis:**
-| Hook | Disponibilidade | Quando é invocado |
-|------|----------------|-------------------|
-| Before User Created | Free / Pro | Antes de criar novo usuário |
-| Custom Access Token | Free / Pro | Antes de emitir JWT (login + refresh) |
-| Send SMS | Free / Pro | Quando Supabase Auth precisa enviar SMS (OTP, MFA) |
-| Send Email | Free / Pro | Quando Supabase Auth precisa enviar email (confirmação, magic link) |
-| MFA Verification | Teams / Enterprise | Ao verificar código MFA |
-| Password Verification | Teams / Enterprise | Ao verificar senha de login |
-**2 tipos de hook:**
-| Tipo | URI | Quando usar |
-|------|-----|-------------|
-| **Postgres function** | `pg-functions://postgres/public/<nome_fn>` | Lógica simples, acesso direto ao DB, sem I/O externo |
-| **HTTP endpoint** | URL HTTPS | Lógica complexa, chamada a APIs externas, Edge Functions |
-## Modelo de segurança — Postgres Function Hook
-A função hook roda com o Postgres role `supabase_auth_admin` — precisa de grants explícitos:
-```sql
--- OBRIGATÓRIO: grants para supabase_auth_admin
-grant usage on schema public to supabase_auth_admin;
-grant execute
-  on function public.minha_funcao_hook
-  to supabase_auth_admin;
--- OBRIGATÓRIO: revogar de roles públicos
-revoke execute
-  on function public.minha_funcao_hook
-  from authenticated, anon, public;
-```
-**Por quê não usar `security definer`:** prefira grants explícitos — `security definer` faz a função rodar com privilégios do owner (geralmente `postgres`) o que é mais amplo do que necessário. Grants são o mínimo necessário e mais auditáveis.
-**Exceção:** se a função precisar acessar tabelas ou schemas que `supabase_auth_admin` não tem permissão, use `security definer` com `set search_path = ''` para evitar injeção via search_path:
-```sql
-create or replace function public.custom_access_token_hook(event jsonb)
-returns jsonb
-language plpgsql
-stable
--- security definer apenas se necessário para acesso a schema restrito
--- set search_path = ''  -- anti-injeção de schema
-as $$
-  -- implementação
-$$;
-```
-## Modelo de segurança — HTTP Hook
-Hooks HTTP seguem a especificação **Standard Webhooks** para autenticidade das requisições:
-```ts
-// Headers enviados pelo Supabase Auth em cada chamada HTTP ao hook
-// webhook-id: <uuid único por chamada>
-// webhook-timestamp: <unix timestamp em segundos>
-// webhook-signature: v1=<assinatura HMAC-SHA256 base64>
-```
-**Verificar assinatura com a lib `standardwebhooks`:**
-```ts
-// deno / Edge Function
-import { Webhook } from 'https://esm.sh/standardwebhooks@1.0.0'
-const secret = Deno.env.get('SEND_EMAIL_HOOK_SECRET')!
-// formato do secret configurado no Supabase: v1,whsec_<base64-secret>
-Deno.serve(async (req) => {
-  const payload = await req.text()
-  const headers = Object.fromEntries(req.headers)
-  const wh = new Webhook(secret)
-  try {
-    // lança erro se assinatura inválida
-    const event = wh.verify(payload, headers)
-    // processar evento verificado
-    return new Response(JSON.stringify({ success: true }), {
-      headers: { 'Content-Type': 'application/json' },
-    })
-  } catch (err) {
-    // assinatura inválida → rejeitar
-    return new Response(
-      JSON.stringify({ error: { http_code: 401, message: 'Assinatura inválida' } }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    )
-  }
-})
-```
-**Formato do secret:** Supabase gera um secret no formato `v1,whsec_<base64>` — usar exatamente este formato ao instanciar `new Webhook(secret)`.
-## Configuração — Dashboard e config.toml
-**Via Dashboard (produção):**
-1. Acessar `Authentication > Hooks` no Dashboard
-2. Selecionar o tipo de hook (ex: "Custom Access Token")
-3. Escolher tipo: Postgres function ou HTTP
-4. Para Postgres: selecionar a função no dropdown
-5. Para HTTP: digitar a URL + configurar o secret
-6. Salvar
-**Via `config.toml` (desenvolvimento local):**
-```toml
-# supabase/config.toml
-# Custom Access Token Hook (Postgres function)
-[auth.hook.custom_access_token]
-enabled = true
-uri = "pg-functions://postgres/public/custom_access_token_hook"
-# Custom Access Token Hook (HTTP — Edge Function local)
-[auth.hook.custom_access_token]
-enabled = true
-uri = "http://localhost:54321/functions/v1/custom-access-token-hook"
-secrets = "v1,whsec_dGVzdHNlY3JldA=="
-# Send Email Hook
-[auth.hook.send_email]
-enabled = true
-uri = "http://localhost:54321/functions/v1/send-email-hook"
-secrets = "v1,whsec_dGVzdHNlY3JldA=="
-# Send SMS Hook
-[auth.hook.send_sms]
-enabled = true
-uri = "http://localhost:54321/functions/v1/send-sms-hook"
-secrets = "v1,whsec_dGVzdHNlY3JldA=="
-# Before User Created Hook
-[auth.hook.before_user_created]
-enabled = true
-uri = "pg-functions://postgres/public/before_user_created_hook"
-# MFA Verification Hook (apenas Teams/Enterprise)
-[auth.hook.mfa_verification_attempt]
-enabled = true
-uri = "pg-functions://postgres/public/mfa_verification_hook"
-# Password Verification Hook (apenas Teams/Enterprise)
-[auth.hook.password_verification_attempt]
-enabled = true
-uri = "pg-functions://postgres/public/password_verification_hook"
-```
-## Error Handling — Status Codes e Retry
-**Formato de erro retornado pelo hook:**
-```json
-{
-  "error": {
-    "http_code": 403,
-    "message": "Domínio de email não permitido"
-  }
-}
-```
-**Comportamento por status code:**
-| Status code retornado pelo hook | Comportamento do Supabase Auth |
-|---------------------------------|-------------------------------|
-| `200` / `202` / `204` | Sucesso — continua o fluxo de auth |
-| `400` | Falha permanente — converte em `500` para o cliente (não retry) |
-| `403` | Falha permanente — converte em `500` para o cliente (não retry) |
-| `429` | Rate-limit — **retry** automático (usar header `Retry-After`) |
-| `503` | Serviço indisponível — **retry** automático |
-**Respostas retry-able:**
-```ts
-// Hook que sinaliza rate-limit com retry
-return new Response(
-  JSON.stringify({ error: { http_code: 429, message: 'Muitas tentativas' } }),
-  {
-    status: 429,
-    headers: {
-      'Content-Type': 'application/json',
-      'Retry-After': '60',  // Supabase Auth vai retentar após 60 segundos
-    },
-  }
-)
-```
-**Regra:** TODAS as respostas de hook (sucesso ou erro) devem ter header `Content-Type: application/json`.
-## Hook 1 — Custom Access Token
-Invocado antes de cada emissão de JWT (login inicial + refresh). Permite injetar claims customizados.
-**Input:**
-```json
-{
-  "user_id": "uuid-do-usuario",
-  "claims": {
-    "aal": "aal1",
-    "sub": "uuid-do-usuario",
-    "email": "usuario@empresa.com",
-    "role": "authenticated",
-    "exp": 1704067200,
-    "iat": 1704063600,
-    "iss": "https://proj.supabase.co/auth/v1",
-    "session_id": "uuid-da-sessao",
-    "amr": [{"method": "password", "timestamp": 1704063600}]
-  },
-  "authentication_method": "password"
-}
-```
-**Output (modificar claims):**
-```json
-{
-  "claims": {
-    "aal": "aal1",
-    "sub": "uuid-do-usuario",
-    "email": "usuario@empresa.com",
-    "role": "authenticated",
-    "exp": 1704067200,
-    "iat": 1704063600,
-    "iss": "https://proj.supabase.co/auth/v1",
-    "session_id": "uuid-da-sessao",
-    "amr": [{"method": "password", "timestamp": 1704063600}],
-    "user_role": "admin",
-    "org_id": "uuid-da-org"
-  }
-}
-```
-**Implementação Postgres canônica (ver skill `supabase-custom-claims-rbac` para pattern completo):**
-```sql
-create or replace function public.custom_access_token_hook(event jsonb)
-returns jsonb
-language plpgsql
-stable
-as $$
-  declare
-    claims jsonb;
-    user_role public.app_role;
-  begin
-    select role into user_role
-    from public.user_roles
-    where user_id = (event->>'user_id')::uuid;
-    claims := event->'claims';
-    claims := jsonb_set(
-      claims,
-      '{user_role}',
-      case when user_role is not null then to_jsonb(user_role) else 'null'::jsonb end
-    );
-    return jsonb_set(event, '{claims}', claims);
-  end;
-$$;
--- grants obrigatórios
-grant usage on schema public to supabase_auth_admin;
-grant execute on function public.custom_access_token_hook to supabase_auth_admin;
-revoke execute on function public.custom_access_token_hook from authenticated, anon, public;
-grant all on table public.user_roles to supabase_auth_admin;
-```
-**Usos canônicos do Custom Access Token hook:**
-- Reduzir tamanho do JWT (omitir claims não necessários)
-- Adicionar claim `user_role`, `org_id`, `plan` ao JWT
-- Restringir login por tipo de autenticação (`authentication_method`)
-- Adicionar claim `is_admin` baseado em SSO provider
-```sql
--- restringir acesso por método de autenticação (ex: SSO apenas para admins)
-create or replace function public.custom_access_token_hook(event jsonb)
-returns jsonb
-language plpgsql
-stable
-as $$
-  declare
-    claims jsonb;
-    auth_method text;
-  begin
-    auth_method := event->>'authentication_method';
-    claims := event->'claims';
-    -- adicionar claim que indica se login foi via SSO
-    claims := jsonb_set(claims, '{via_sso}', to_jsonb(auth_method = 'sso/saml'));
-    return jsonb_set(event, '{claims}', claims);
-  end;
-$$;
-```
-## Hook 2 — Before User Created
-Invocado antes de criar um novo usuário. Retornar `error` **rejeita** o signup.
-**Input:**
-```json
-{
-  "user": {
-    "id": "uuid-gerado",
-    "email": "novo@dominio.com",
-    "phone": "",
-    "app_metadata": {},
-    "user_metadata": {"nome": "João"},
-    "identities": [],
-    "created_at": "2026-05-19T00:00:00Z",
-    "updated_at": "2026-05-19T00:00:00Z"
-  }
-}
-```
-**Bloquear domínios descartáveis:**
-```sql
-create or replace function public.before_user_created_hook(event jsonb)
-returns jsonb
-language plpgsql
-stable
-as $$
-  declare
-    email_address text;
-    email_domain  text;
-    dominio_bloqueado bool;
-  begin
-    email_address := event->'user'->>'email';
-    email_domain  := split_part(email_address, '@', 2);
-    -- checar em tabela de domínios bloqueados
-    select exists(
-      select 1 from public.blocked_email_domains
-      where domain = lower(email_domain)
-    ) into dominio_bloqueado;
-    if dominio_bloqueado then
-      return jsonb_build_object(
-        'error', jsonb_build_object(
-          'http_code', 422,
-          'message', 'Domínio de email não permitido. Use um email corporativo.'
-        )
-      );
-    end if;
-    -- retornar event sem modificações (signup permitido)
-    return event;
-  end;
-$$;
--- tabela de domínios bloqueados
-create table public.blocked_email_domains (
-  domain text primary key,
-  motivo text,
-  criado_em timestamptz default now()
-);
--- seed inicial de domínios descartáveis comuns
-insert into public.blocked_email_domains (domain, motivo) values
-  ('mailinator.com', 'Email descartável'),
-  ('guerrillamail.com', 'Email descartável'),
-  ('tempmail.com', 'Email descartável'),
-  ('throwam.com', 'Email descartável'),
-  ('yopmail.com', 'Email descartável');
--- grants
-grant usage on schema public to supabase_auth_admin;
-grant execute on function public.before_user_created_hook to supabase_auth_admin;
-revoke execute on function public.before_user_created_hook from authenticated, anon, public;
-grant select on table public.blocked_email_domains to supabase_auth_admin;
-```
-**Bloquear por provider — rejeitar signup via email (apenas SSO permitido):**
-```sql
--- em aplicação B2B que só aceita login via SSO corporativo
-create or replace function public.before_user_created_hook(event jsonb)
-returns jsonb
-language plpgsql
-stable
-as $$
-  declare
-    identities jsonb;
-    tem_sso bool;
-  begin
-    identities := event->'user'->'identities';
-    -- checar se tem identidade SSO (provider começa com 'sso:')
-    select exists(
-      select 1 from jsonb_array_elements(identities) as i
-      where (i->>'provider') like 'sso:%'
-    ) into tem_sso;
-    if not tem_sso then
-      return jsonb_build_object(
-        'error', jsonb_build_object(
-          'http_code', 403,
-          'message', 'Apenas login via SSO corporativo é permitido.'
-        )
-      );
-    end if;
-    return event;
-  end;
-$$;
-```
-## Hook 3 — Send SMS
-Substitui o envio de SMS do Supabase por provider customizado (Twilio, AWS SNS, Vonage).
-**Input:**
-```json
-{
-  "user": { "id": "uuid", "phone": "+5511999999999" },
-  "sms": { "otp": "123456" }
-}
-```
-**Edge Function com Twilio:**
-```ts
-// supabase/functions/send-sms-hook/index.ts
-import { Webhook } from 'https://esm.sh/standardwebhooks@1.0.0'
-const secret = Deno.env.get('SEND_SMS_HOOK_SECRET')!
-const TWILIO_ACCOUNT_SID = Deno.env.get('TWILIO_ACCOUNT_SID')!
-const TWILIO_AUTH_TOKEN = Deno.env.get('TWILIO_AUTH_TOKEN')!
-const TWILIO_FROM = Deno.env.get('TWILIO_FROM_NUMBER')!
-Deno.serve(async (req) => {
-  const payload = await req.text()
-  const headers = Object.fromEntries(req.headers)
-  // verificar assinatura Standard Webhooks
-  const wh = new Webhook(secret)
-  let event: { user: { phone: string }; sms: { otp: string } }
-  try {
-    event = wh.verify(payload, headers) as typeof event
-  } catch {
-    return new Response(
-      JSON.stringify({ error: { http_code: 401, message: 'Assinatura inválida' } }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    )
-  }
-  const { phone } = event.user
-  const { otp } = event.sms
-  // enviar via Twilio
-  const resp = await fetch(
-    `https://api.twilio.com/2010-04-01/Accounts/${TWILIO_ACCOUNT_SID}/Messages.json`,
-    {
-      method: 'POST',
-      headers: {
-        Authorization: `Basic ${btoa(`${TWILIO_ACCOUNT_SID}:${TWILIO_AUTH_TOKEN}`)}`,
-        'Content-Type': 'application/x-www-form-urlencoded',
-      },
-      body: new URLSearchParams({
-        To: phone,
-        From: TWILIO_FROM,
-        Body: `Seu código de verificação: ${otp}. Válido por 5 minutos.`,
-      }),
-    }
-  )
-  if (!resp.ok) {
-    const err = await resp.json()
-    console.error('Erro Twilio:', err)
-    // 503 → Supabase vai retentar
-    return new Response(
-      JSON.stringify({ error: { http_code: 503, message: 'Falha no envio de SMS' } }),
-      { status: 503, headers: { 'Content-Type': 'application/json', 'Retry-After': '30' } }
-    )
-  }
-  return new Response(JSON.stringify({}), {
-    headers: { 'Content-Type': 'application/json' },
-  })
-})
-```
-## Hook 4 — Send Email
-Substitui emails transacionais do Supabase por provider customizado (Resend, SendGrid, AWS SES).
-**Input (exemplo para magic link):**
-```json
-{
-  "user": { "id": "uuid", "email": "usuario@empresa.com" },
-  "email_data": {
-    "token": "token-opaque",
-    "token_hash": "hash-do-token",
-    "redirect_to": "https://app.com/auth/callback",
-    "email_action_type": "magic_link",
-    "site_url": "https://app.com",
-    "token_new": "",
-    "token_hash_new": ""
-  }
-}
-```
-**Tipos de `email_action_type`:** `signup`, `magic_link`, `recovery`, `invite`, `email_change_new`, `email_change_current`.
-**Edge Function com Resend:**
-```ts
-// supabase/functions/send-email-hook/index.ts
-import { Webhook } from 'https://esm.sh/standardwebhooks@1.0.0'
-const secret = Deno.env.get('SEND_EMAIL_HOOK_SECRET')!
-const RESEND_API_KEY = Deno.env.get('RESEND_API_KEY')!
-type EmailActionType = 'signup' | 'magic_link' | 'recovery' | 'invite' |
-  'email_change_new' | 'email_change_current'
-function montarConteudo(tipo: EmailActionType, emailData: any): { subject: string; html: string } {
-  const link = `${emailData.site_url}/auth/confirm?token_hash=${emailData.token_hash}&type=${tipo}&next=${emailData.redirect_to}`
-  switch (tipo) {
-    case 'magic_link':
-      return {
-        subject: 'Seu link de acesso',
-        html: `<p>Clique <a href="${link}">aqui</a> para acessar. Válido por 1 hora.</p>`,
-      }
-    case 'signup':
-      return {
-        subject: 'Confirme seu email',
-        html: `<p>Bem-vindo! <a href="${link}">Confirme seu email</a> para começar.</p>`,
-      }
-    case 'recovery':
-      return {
-        subject: 'Recuperação de senha',
-        html: `<p><a href="${link}">Redefina sua senha</a>. Válido por 1 hora.</p>`,
-      }
-    default:
-      return {
-        subject: 'Ação necessária',
-        html: `<p><a href="${link}">Clique aqui</a> para continuar.</p>`,
-      }
-  }
-}
-Deno.serve(async (req) => {
-  const payload = await req.text()
-  const headers = Object.fromEntries(req.headers)
-  const wh = new Webhook(secret)
-  let event: { user: { email: string }; email_data: any }
-  try {
-    event = wh.verify(payload, headers) as typeof event
-  } catch {
-    return new Response(
-      JSON.stringify({ error: { http_code: 401, message: 'Assinatura inválida' } }),
-      { status: 401, headers: { 'Content-Type': 'application/json' } }
-    )
-  }
-  const { email } = event.user
-  const { email_action_type, ...emailData } = event.email_data
-  const { subject, html } = montarConteudo(email_action_type, { email_action_type, ...emailData })
-  const resp = await fetch('https://api.resend.com/emails', {
-    method: 'POST',
-    headers: {
-      Authorization: `Bearer ${RESEND_API_KEY}`,
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify({
-      from: 'no-reply@empresa.com',
-      to: [email],
-      subject,
-      html,
-    }),
-  })
-  if (!resp.ok) {
-    return new Response(
-      JSON.stringify({ error: { http_code: 503, message: 'Falha no envio de email' } }),
-      { status: 503, headers: { 'Content-Type': 'application/json', 'Retry-After': '60' } }
-    )
-  }
-  return new Response(JSON.stringify({}), {
-    headers: { 'Content-Type': 'application/json' },
-  })
-})
-```
-## Hook 5 — MFA Verification (Teams/Enterprise)
-Rate-limit customizado para tentativas de verificação MFA. Roda a cada `mfa.verify()`.
-**Input:**
-```json
-{
-  "factor_id": "uuid-do-fator",
-  "factor_type": "totp",
-  "user_id": "uuid-do-usuario",
-  "valid": true
-}
-```
-**Output:**
-```json
-{
-  "decision": "continue",
-  "message": ""
-}
-```
-```sql
--- rate-limit: máximo 5 tentativas erradas em 15 minutos
-create table public.mfa_attempt_log (
-  user_id     uuid not null references auth.users(id) on delete cascade,
-  factor_id   uuid not null,
-  tentativa   timestamptz not null default now(),
-  sucesso     boolean not null
-);
-create index on public.mfa_attempt_log (user_id, tentativa);
-create or replace function public.mfa_verification_hook(event jsonb)
-returns jsonb
-language plpgsql
-as $$
-  declare
-    user_id_val   uuid;
-    factor_id_val uuid;
-    valida        bool;
-    tentativas_erradas int;
-  begin
-    user_id_val   := (event->>'user_id')::uuid;
-    factor_id_val := (event->>'factor_id')::uuid;
-    valida        := (event->>'valid')::boolean;
-    -- checar tentativas erradas nos últimos 15 minutos
-    select count(*) into tentativas_erradas
-    from public.mfa_attempt_log
-    where user_id = user_id_val
-      and factor_id = factor_id_val
-      and sucesso = false
-      and tentativa > now() - interval '15 minutes';
-    -- logar tentativa atual
-    insert into public.mfa_attempt_log (user_id, factor_id, sucesso)
-    values (user_id_val, factor_id_val, valida);
-    if tentativas_erradas >= 5 then
-      return jsonb_build_object(
-        'decision', 'reject',
-        'message', 'Muitas tentativas incorretas. Aguarde 15 minutos.'
-      );
-    end if;
-    return jsonb_build_object('decision', 'continue', 'message', '');
-  end;
-$$;
-grant usage on schema public to supabase_auth_admin;
-grant execute on function public.mfa_verification_hook to supabase_auth_admin;
-revoke execute on function public.mfa_verification_hook from authenticated, anon, public;
-grant all on table public.mfa_attempt_log to supabase_auth_admin;
-```
-## Hook 6 — Password Verification (Teams/Enterprise)
-Bloquear login após N tentativas erradas de senha.
-**Input:**
-```json
-{
-  "user_id": "uuid-do-usuario",
-  "valid": false
-}
-```
-```sql
-create or replace function public.password_verification_hook(event jsonb)
-returns jsonb
-language plpgsql
-as $$
-  declare
-    uid            uuid;
-    valida         bool;
-    erros_recentes int;
-  begin
-    uid    := (event->>'user_id')::uuid;
-    valida := (event->>'valid')::boolean;
-    -- logar tentativa
-    insert into public.login_attempt_log (user_id, sucesso)
-    values (uid, valida);
-    -- contar erros nos últimos 30 minutos (apenas se tentativa inválida)
-    if not valida then
-      select count(*) into erros_recentes
-      from public.login_attempt_log
-      where user_id = uid
-        and sucesso = false
-        and tentativa > now() - interval '30 minutes';
-      if erros_recentes >= 10 then
-        return jsonb_build_object(
-          'decision', 'reject',
-          'message', 'Conta temporariamente bloqueada. Tente novamente em 30 minutos.'
-        );
-      end if;
-    end if;
-    return jsonb_build_object('decision', 'continue', 'message', '');
-  end;
-$$;
-create table public.login_attempt_log (
-  id        bigint generated by default as identity primary key,
-  user_id   uuid not null references auth.users(id) on delete cascade,
-  sucesso   boolean not null,
-  tentativa timestamptz default now()
-);
-create index on public.login_attempt_log (user_id, tentativa);
-grant usage on schema public to supabase_auth_admin;
-grant execute on function public.password_verification_hook to supabase_auth_admin;
-revoke execute on function public.password_verification_hook from authenticated, anon, public;
-grant all on table public.login_attempt_log to supabase_auth_admin;
-```
-## Regras absolutas
-1. **SEMPRE `grant execute` ao `supabase_auth_admin`** — sem este grant, hook Postgres falha silenciosamente; JWT é emitido sem modificações.
-2. **SEMPRE `revoke execute` de `authenticated`, `anon`, `public`** — sem isso, qualquer cliente pode invocar a função diretamente.
-3. **Hooks HTTP devem verificar assinatura Standard Webhooks** — usar `standardwebhooks` com o secret configurado. Nunca processar payload sem verificação.
-4. **Evitar `security definer` desnecessariamente** — prefira grants explícitos; `security definer` amplia o acesso mais do que necessário.
-5. **TODAS as respostas precisam `Content-Type: application/json`** — Supabase Auth rejeita respostas sem este header.
-6. **Hook deve ser rápido (< 10ms idealmente)** — roda a cada login e refresh; query lenta degrada latência de auth de toda a aplicação.
-7. **Hooks MFA/Password Verification são Teams/Enterprise only** — verificar plano antes de implementar.
-## Anti-patterns
-### Anti-pattern 1: Esquecer grants ao supabase_auth_admin
-**Errado:**
-```sql
-create or replace function public.custom_access_token_hook(event jsonb)
-returns jsonb language plpgsql stable as $$
-  -- implementação aqui
-$$;
--- sem GRANT EXECUTE TO supabase_auth_admin
--- sem REVOKE de anon/authenticated
-```
-**Por quê:** Auth hook falha silenciosamente. O JWT é gerado **sem** as modificações do hook — claims customizados não aparecem. Difícil de debugar pois não há erro explícito.
-**Certo:**
-```sql
--- SEMPRE após criar a função
-grant usage on schema public to supabase_auth_admin;
-grant execute on function public.custom_access_token_hook to supabase_auth_admin;
-revoke execute on function public.custom_access_token_hook from authenticated, anon, public;
-```
-### Anti-pattern 2: Não verificar assinatura do webhook HTTP
-**Errado:**
-```ts
-Deno.serve(async (req) => {
-  const event = await req.json()  // ERRADO: aceitar sem verificar assinatura
-  // processar event...
-})
-```
-**Por quê:** qualquer requisição HTTP pode acionar o hook — atacante pode forjar eventos de auth e manipular JWTs, criar usuários, etc.
-**Certo:** sempre verificar com `standardwebhooks`:
-```ts
-const wh = new Webhook(secret)
-const event = wh.verify(payload, headers)  // lança erro se inválido
-```
-### Anti-pattern 3: Hook com query custosa (JOINs, N+1)
-**Errado:**
-```sql
-create or replace function public.custom_access_token_hook(event jsonb)
-returns jsonb language plpgsql stable as $$
-  declare claims jsonb;
-  begin
-    claims := event->'claims';
-    -- query com múltiplos JOINs — roda em CADA login e refresh
-    select jsonb_build_object(
-      'org_name', o.name,
-      'plan', s.plan,
-      'feature_flags', ff.flags
-    ) into ...
-    from auth.users u
-      join public.organizations o on u.raw_user_meta_data->>'org_id' = o.id::text
-      join public.subscriptions s on o.id = s.org_id
-      join public.feature_flags ff on s.plan = ff.plan
-    where u.id = (event->>'user_id')::uuid;
-    -- ...
-  end;
-$$;
-```
-**Por quê:** hook roda em cada login E cada refresh de JWT. Query com JOINs pode adicionar 50-200ms em cada operação de auth — inaceitável em produção.
-**Certo:** denormalizar dados na tabela de roles/perfis; hook faz query simples em única tabela:
-```sql
--- tabela denormalizada: user_profile com tudo necessário
-select org_name, plan, feature_flags
-into user_data
-from public.user_profiles
-where user_id = (event->>'user_id')::uuid;
-```
-### Anti-pattern 4: Usar `security definer` desnecessariamente
-**Errado:**
-```sql
-create or replace function public.before_user_created_hook(event jsonb)
-returns jsonb
-language plpgsql
-security definer   -- DESNECESSÁRIO se grants explícitos suficientes
-as $$
-  -- ...
-$$;
-```
-**Por quê:** `security definer` faz a função rodar com privilégios do owner (`postgres`) — acesso irrestrito a todos os schemas e tabelas. Risco de path injection e acesso não intencional.
-**Certo:** grants explícitos ao `supabase_auth_admin` para tabelas específicas + sem `security definer`:
-```sql
-grant select on table public.blocked_email_domains to supabase_auth_admin;
--- sem security definer na função
-```
-## Ver também
-- [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) — `custom_access_token_hook` completo com RBAC
-- [supabase-edge-functions-auth](../supabase-edge-functions-auth/SKILL.md) — autenticação e segurança em Edge Functions
-- [supabase-mfa](../supabase-mfa/SKILL.md) — MFA TOTP e Phone; MFA Verification Hook para rate-limit
-- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — políticas RLS que consomem claims do `custom_access_token_hook`
-- [supabase-auth-hook-writer](../../agents/supabase-auth-hook-writer.md) — agente que escreve Auth Hooks com grants corretos e testes
+---
+name: supabase-auth-hooks
+description: Use ao implementar Auth Hooks no Supabase — custom access token, send email/SMS, before user created, MFA e password verification hooks.
+---
+# Supabase — Auth Hooks
+## Quando usar
+LLM carrega esta skill quando implementar **Auth Hooks** no Supabase — endpoints que interceptam e modificam o fluxo padrão de autenticação em pontos de execução específicos.
+Trigger phrases:
+- "auth hook Supabase", "custom access token hook"
+- "send email hook", "send sms hook"
+- "before user created hook", "MFA verification hook"
+- "password verification hook"
+- "Postgres function hook", "HTTP hook Supabase"
+- `custom_access_token_hook`, `supabase_auth_admin`
+- "como bloquear signup por domínio", "como customizar email de auth"
+- "hook para rate-limit de login", "Standard Webhooks Supabase"
+## Princípio canônico
+Auth Hooks são **endpoints síncronos** que o Supabase Auth invoca em pontos específicos do fluxo de autenticação. O hook recebe um payload JSON, pode modificar o comportamento e retorna um JSON de resposta. Erros retornados pelo hook **bloqueiam** a operação de auth correspondente.
+**6 hooks disponíveis:**
+| Hook | Disponibilidade | Quando é invocado |
+|------|----------------|-------------------|
+| Before User Created | Free / Pro | Antes de criar novo usuário |
+| Custom Access Token | Free / Pro | Antes de emitir JWT (login + refresh) |
+| Send SMS | Free / Pro | Quando Supabase Auth precisa enviar SMS (OTP, MFA) |
+| Send Email | Free / Pro | Quando Supabase Auth precisa enviar email (confirmação, magic link) |
+| MFA Verification | Teams / Enterprise | Ao verificar código MFA |
+| Password Verification | Teams / Enterprise | Ao verificar senha de login |
+**2 tipos de hook:**
+| Tipo | URI | Quando usar |
+|------|-----|-------------|
+| **Postgres function** | `pg-functions://postgres/public/<nome_fn>` | Lógica simples, acesso direto ao DB, sem I/O externo |
+| **HTTP endpoint** | URL HTTPS | Lógica complexa, chamada a APIs externas, Edge Functions |
+## Modelo de segurança — Postgres Function Hook
+A função hook roda com o Postgres role `supabase_auth_admin` — precisa de grants explícitos:
+```sql
+-- OBRIGATÓRIO: grants para supabase_auth_admin
+grant usage on schema public to supabase_auth_admin;
+grant execute
+  on function public.minha_funcao_hook
+  to supabase_auth_admin;
+-- OBRIGATÓRIO: revogar de roles públicos
+revoke execute
+  on function public.minha_funcao_hook
+  from authenticated, anon, public;
+```
+**Por quê não usar `security definer`:** prefira grants explícitos — `security definer` faz a função rodar com privilégios do owner (geralmente `postgres`) o que é mais amplo do que necessário. Grants são o mínimo necessário e mais auditáveis.
+**Exceção:** se a função precisar acessar tabelas ou schemas que `supabase_auth_admin` não tem permissão, use `security definer` com `set search_path = ''` para evitar injeção via search_path:
+```sql
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+-- security definer apenas se necessário para acesso a schema restrito
+-- set search_path = ''  -- anti-injeção de schema
+as $$
+  -- implementação
+$$;
+```
+## Modelo de segurança — HTTP Hook
+Hooks HTTP seguem a especificação **Standard Webhooks** para autenticidade das requisições:
+```ts
+// Headers enviados pelo Supabase Auth em cada chamada HTTP ao hook
+// webhook-id: <uuid único por chamada>
+// webhook-timestamp: <unix timestamp em segundos>
+// webhook-signature: v1=<assinatura HMAC-SHA256 base64>
+```
+**Verificar assinatura com a lib `standardwebhooks`:**
+```ts
+// deno / Edge Function
+import { Webhook } from 'https://esm.sh/standardwebhooks@1.0.0'
+const secret = Deno.env.get('SEND_EMAIL_HOOK_SECRET')!
+// formato do secret configurado no Supabase: v1,whsec_<base64-secret>
+Deno.serve(async (req) => {
+  const payload = await req.text()
+  const headers = Object.fromEntries(req.headers)
+  const wh = new Webhook(secret)
+  try {
+    // lança erro se assinatura inválida
+    const event = wh.verify(payload, headers)
+    // processar evento verificado
+    return new Response(JSON.stringify({ success: true }), {
+      headers: { 'Content-Type': 'application/json' },
+    })
+  } catch (err) {
+    // assinatura inválida → rejeitar
+    return new Response(
+      JSON.stringify({ error: { http_code: 401, message: 'Assinatura inválida' } }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    )
+  }
+})
+```
+**Formato do secret:** Supabase gera um secret no formato `v1,whsec_<base64>` — usar exatamente este formato ao instanciar `new Webhook(secret)`.
+## Configuração — Dashboard e config.toml
+**Via Dashboard (produção):**
+1. Acessar `Authentication > Hooks` no Dashboard
+2. Selecionar o tipo de hook (ex: "Custom Access Token")
+3. Escolher tipo: Postgres function ou HTTP
+4. Para Postgres: selecionar a função no dropdown
+5. Para HTTP: digitar a URL + configurar o secret
+6. Salvar
+**Via `config.toml` (desenvolvimento local):**
+```toml
+# supabase/config.toml
+# Custom Access Token Hook (Postgres function)
+[auth.hook.custom_access_token]
+enabled = true
+uri = "pg-functions://postgres/public/custom_access_token_hook"
+# Custom Access Token Hook (HTTP — Edge Function local)
+[auth.hook.custom_access_token]
+enabled = true
+uri = "http://localhost:54321/functions/v1/custom-access-token-hook"
+secrets = "v1,whsec_dGVzdHNlY3JldA=="
+# Send Email Hook
+[auth.hook.send_email]
+enabled = true
+uri = "http://localhost:54321/functions/v1/send-email-hook"
+secrets = "v1,whsec_dGVzdHNlY3JldA=="
+# Send SMS Hook
+[auth.hook.send_sms]
+enabled = true
+uri = "http://localhost:54321/functions/v1/send-sms-hook"
+secrets = "v1,whsec_dGVzdHNlY3JldA=="
+# Before User Created Hook
+[auth.hook.before_user_created]
+enabled = true
+uri = "pg-functions://postgres/public/before_user_created_hook"
+# MFA Verification Hook (apenas Teams/Enterprise)
+[auth.hook.mfa_verification_attempt]
+enabled = true
+uri = "pg-functions://postgres/public/mfa_verification_hook"
+# Password Verification Hook (apenas Teams/Enterprise)
+[auth.hook.password_verification_attempt]
+enabled = true
+uri = "pg-functions://postgres/public/password_verification_hook"
+```
+## Error Handling — Status Codes e Retry
+**Formato de erro retornado pelo hook:**
+```json
+{
+  "error": {
+    "http_code": 403,
+    "message": "Domínio de email não permitido"
+  }
+}
+```
+**Comportamento por status code:**
+| Status code retornado pelo hook | Comportamento do Supabase Auth |
+|---------------------------------|-------------------------------|
+| `200` / `202` / `204` | Sucesso — continua o fluxo de auth |
+| `400` | Falha permanente — converte em `500` para o cliente (não retry) |
+| `403` | Falha permanente — converte em `500` para o cliente (não retry) |
+| `429` | Rate-limit — **retry** automático (usar header `Retry-After`) |
+| `503` | Serviço indisponível — **retry** automático |
+**Respostas retry-able:**
+```ts
+// Hook que sinaliza rate-limit com retry
+return new Response(
+  JSON.stringify({ error: { http_code: 429, message: 'Muitas tentativas' } }),
+  {
+    status: 429,
+    headers: {
+      'Content-Type': 'application/json',
+      'Retry-After': '60',  // Supabase Auth vai retentar após 60 segundos
+    },
+  }
+)
+```
+**Regra:** TODAS as respostas de hook (sucesso ou erro) devem ter header `Content-Type: application/json`.
+## Hook 1 — Custom Access Token
+Invocado antes de cada emissão de JWT (login inicial + refresh). Permite injetar claims customizados.
+**Input:**
+```json
+{
+  "user_id": "uuid-do-usuario",
+  "claims": {
+    "aal": "aal1",
+    "sub": "uuid-do-usuario",
+    "email": "usuario@empresa.com",
+    "role": "authenticated",
+    "exp": 1704067200,
+    "iat": 1704063600,
+    "iss": "https://proj.supabase.co/auth/v1",
+    "session_id": "uuid-da-sessao",
+    "amr": [{"method": "password", "timestamp": 1704063600}]
+  },
+  "authentication_method": "password"
+}
+```
+**Output (modificar claims):**
+```json
+{
+  "claims": {
+    "aal": "aal1",
+    "sub": "uuid-do-usuario",
+    "email": "usuario@empresa.com",
+    "role": "authenticated",
+    "exp": 1704067200,
+    "iat": 1704063600,
+    "iss": "https://proj.supabase.co/auth/v1",
+    "session_id": "uuid-da-sessao",
+    "amr": [{"method": "password", "timestamp": 1704063600}],
+    "user_role": "admin",
+    "org_id": "uuid-da-org"
+  }
+}
+```
+**Implementação Postgres canônica (ver skill `supabase-custom-claims-rbac` para pattern completo):**
+```sql
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+as $$
+  declare
+    claims jsonb;
+    user_role public.app_role;
+  begin
+    select role into user_role
+    from public.user_roles
+    where user_id = (event->>'user_id')::uuid;
+    claims := event->'claims';
+    claims := jsonb_set(
+      claims,
+      '{user_role}',
+      case when user_role is not null then to_jsonb(user_role) else 'null'::jsonb end
+    );
+    return jsonb_set(event, '{claims}', claims);
+  end;
+$$;
+-- grants obrigatórios
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.custom_access_token_hook to supabase_auth_admin;
+revoke execute on function public.custom_access_token_hook from authenticated, anon, public;
+grant all on table public.user_roles to supabase_auth_admin;
+```
+**Usos canônicos do Custom Access Token hook:**
+- Reduzir tamanho do JWT (omitir claims não necessários)
+- Adicionar claim `user_role`, `org_id`, `plan` ao JWT
+- Restringir login por tipo de autenticação (`authentication_method`)
+- Adicionar claim `is_admin` baseado em SSO provider
+```sql
+-- restringir acesso por método de autenticação (ex: SSO apenas para admins)
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+as $$
+  declare
+    claims jsonb;
+    auth_method text;
+  begin
+    auth_method := event->>'authentication_method';
+    claims := event->'claims';
+    -- adicionar claim que indica se login foi via SSO
+    claims := jsonb_set(claims, '{via_sso}', to_jsonb(auth_method = 'sso/saml'));
+    return jsonb_set(event, '{claims}', claims);
+  end;
+$$;
+```
+## Hook 2 — Before User Created
+Invocado antes de criar um novo usuário. Retornar `error` **rejeita** o signup.
+**Input:**
+```json
+{
+  "user": {
+    "id": "uuid-gerado",
+    "email": "novo@dominio.com",
+    "phone": "",
+    "app_metadata": {},
+    "user_metadata": {"nome": "João"},
+    "identities": [],
+    "created_at": "2026-05-19T00:00:00Z",
+    "updated_at": "2026-05-19T00:00:00Z"
+  }
+}
+```
+**Bloquear domínios descartáveis:**
+```sql
+create or replace function public.before_user_created_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+as $$
+  declare
+    email_address text;
+    email_domain  text;
+    dominio_bloqueado bool;
+  begin
+    email_address := event->'user'->>'email';
+    email_domain  := split_part(email_address, '@', 2);
+    -- checar em tabela de domínios bloqueados
+    select exists(
+      select 1 from public.blocked_email_domains
+      where domain = lower(email_domain)
+    ) into dominio_bloqueado;
+    if dominio_bloqueado then
+      return jsonb_build_object(
+        'error', jsonb_build_object(
+          'http_code', 422,
+          'message', 'Domínio de email não permitido. Use um email corporativo.'
+        )
+      );
+    end if;
+    -- retornar event sem modificações (signup permitido)
+    return event;
+  end;
+$$;
+-- tabela de domínios bloqueados
+create table public.blocked_email_domains (
+  domain text primary key,
+  motivo text,
+  criado_em timestamptz default now()
+);
+-- seed inicial de domínios descartáveis comuns
+insert into public.blocked_email_domains (domain, motivo) values
+  ('mailinator.com', 'Email descartável'),
+  ('guerrillamail.com', 'Email descartável'),
+  ('tempmail.com', 'Email descartável'),
+  ('throwam.com', 'Email descartável'),
+  ('yopmail.com', 'Email descartável');
+-- grants
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.before_user_created_hook to supabase_auth_admin;
+revoke execute on function public.before_user_created_hook from authenticated, anon, public;
+grant select on table public.blocked_email_domains to supabase_auth_admin;
+```
+**Bloquear por provider — rejeitar signup via email (apenas SSO permitido):**
+```sql
+-- em aplicação B2B que só aceita login via SSO corporativo
+create or replace function public.before_user_created_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+as $$
+  declare
+    identities jsonb;
+    tem_sso bool;
+  begin
+    identities := event->'user'->'identities';
+    -- checar se tem identidade SSO (provider começa com 'sso:')
+    select exists(
+      select 1 from jsonb_array_elements(identities) as i
+      where (i->>'provider') like 'sso:%'
+    ) into tem_sso;
+    if not tem_sso then
+      return jsonb_build_object(
+        'error', jsonb_build_object(
+          'http_code', 403,
+          'message', 'Apenas login via SSO corporativo é permitido.'
+        )
+      );
+    end if;
+    return event;
+  end;
+$$;
+```
+## Hook 3 — Send SMS
+Substitui o envio de SMS do Supabase por provider customizado (Twilio, AWS SNS, Vonage).
+**Input:**
+```json
+{
+  "user": { "id": "uuid", "phone": "+5511999999999" },
+  "sms": { "otp": "123456" }
+}
+```
+**Edge Function com Twilio:**
+```ts
+// supabase/functions/send-sms-hook/index.ts
+import { Webhook } from 'https://esm.sh/standardwebhooks@1.0.0'
+const secret = Deno.env.get('SEND_SMS_HOOK_SECRET')!
+const TWILIO_ACCOUNT_SID = Deno.env.get('TWILIO_ACCOUNT_SID')!
+const TWILIO_AUTH_TOKEN = Deno.env.get('TWILIO_AUTH_TOKEN')!
+const TWILIO_FROM = Deno.env.get('TWILIO_FROM_NUMBER')!
+Deno.serve(async (req) => {
+  const payload = await req.text()
+  const headers = Object.fromEntries(req.headers)
+  // verificar assinatura Standard Webhooks
+  const wh = new Webhook(secret)
+  let event: { user: { phone: string }; sms: { otp: string } }
+  try {
+    event = wh.verify(payload, headers) as typeof event
+  } catch {
+    return new Response(
+      JSON.stringify({ error: { http_code: 401, message: 'Assinatura inválida' } }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    )
+  }
+  const { phone } = event.user
+  const { otp } = event.sms
+  // enviar via Twilio
+  const resp = await fetch(
+    `https://api.twilio.com/2010-04-01/Accounts/${TWILIO_ACCOUNT_SID}/Messages.json`,
+    {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${btoa(`${TWILIO_ACCOUNT_SID}:${TWILIO_AUTH_TOKEN}`)}`,
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: new URLSearchParams({
+        To: phone,
+        From: TWILIO_FROM,
+        Body: `Seu código de verificação: ${otp}. Válido por 5 minutos.`,
+      }),
+    }
+  )
+  if (!resp.ok) {
+    const err = await resp.json()
+    console.error('Erro Twilio:', err)
+    // 503 → Supabase vai retentar
+    return new Response(
+      JSON.stringify({ error: { http_code: 503, message: 'Falha no envio de SMS' } }),
+      { status: 503, headers: { 'Content-Type': 'application/json', 'Retry-After': '30' } }
+    )
+  }
+  return new Response(JSON.stringify({}), {
+    headers: { 'Content-Type': 'application/json' },
+  })
+})
+```
+## Hook 4 — Send Email
+Substitui emails transacionais do Supabase por provider customizado (Resend, SendGrid, AWS SES).
+**Input (exemplo para magic link):**
+```json
+{
+  "user": { "id": "uuid", "email": "usuario@empresa.com" },
+  "email_data": {
+    "token": "token-opaque",
+    "token_hash": "hash-do-token",
+    "redirect_to": "https://app.com/auth/callback",
+    "email_action_type": "magic_link",
+    "site_url": "https://app.com",
+    "token_new": "",
+    "token_hash_new": ""
+  }
+}
+```
+**Tipos de `email_action_type`:** `signup`, `magic_link`, `recovery`, `invite`, `email_change_new`, `email_change_current`.
+**Edge Function com Resend:**
+```ts
+// supabase/functions/send-email-hook/index.ts
+import { Webhook } from 'https://esm.sh/standardwebhooks@1.0.0'
+const secret = Deno.env.get('SEND_EMAIL_HOOK_SECRET')!
+const RESEND_API_KEY = Deno.env.get('RESEND_API_KEY')!
+type EmailActionType = 'signup' | 'magic_link' | 'recovery' | 'invite' |
+  'email_change_new' | 'email_change_current'
+function montarConteudo(tipo: EmailActionType, emailData: any): { subject: string; html: string } {
+  const link = `${emailData.site_url}/auth/confirm?token_hash=${emailData.token_hash}&type=${tipo}&next=${emailData.redirect_to}`
+  switch (tipo) {
+    case 'magic_link':
+      return {
+        subject: 'Seu link de acesso',
+        html: `<p>Clique <a href="${link}">aqui</a> para acessar. Válido por 1 hora.</p>`,
+      }
+    case 'signup':
+      return {
+        subject: 'Confirme seu email',
+        html: `<p>Bem-vindo! <a href="${link}">Confirme seu email</a> para começar.</p>`,
+      }
+    case 'recovery':
+      return {
+        subject: 'Recuperação de senha',
+        html: `<p><a href="${link}">Redefina sua senha</a>. Válido por 1 hora.</p>`,
+      }
+    default:
+      return {
+        subject: 'Ação necessária',
+        html: `<p><a href="${link}">Clique aqui</a> para continuar.</p>`,
+      }
+  }
+}
+Deno.serve(async (req) => {
+  const payload = await req.text()
+  const headers = Object.fromEntries(req.headers)
+  const wh = new Webhook(secret)
+  let event: { user: { email: string }; email_data: any }
+  try {
+    event = wh.verify(payload, headers) as typeof event
+  } catch {
+    return new Response(
+      JSON.stringify({ error: { http_code: 401, message: 'Assinatura inválida' } }),
+      { status: 401, headers: { 'Content-Type': 'application/json' } }
+    )
+  }
+  const { email } = event.user
+  const { email_action_type, ...emailData } = event.email_data
+  const { subject, html } = montarConteudo(email_action_type, { email_action_type, ...emailData })
+  const resp = await fetch('https://api.resend.com/emails', {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${RESEND_API_KEY}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      from: 'no-reply@empresa.com',
+      to: [email],
+      subject,
+      html,
+    }),
+  })
+  if (!resp.ok) {
+    return new Response(
+      JSON.stringify({ error: { http_code: 503, message: 'Falha no envio de email' } }),
+      { status: 503, headers: { 'Content-Type': 'application/json', 'Retry-After': '60' } }
+    )
+  }
+  return new Response(JSON.stringify({}), {
+    headers: { 'Content-Type': 'application/json' },
+  })
+})
+```
+## Hook 5 — MFA Verification (Teams/Enterprise)
+Rate-limit customizado para tentativas de verificação MFA. Roda a cada `mfa.verify()`.
+**Input:**
+```json
+{
+  "factor_id": "uuid-do-fator",
+  "factor_type": "totp",
+  "user_id": "uuid-do-usuario",
+  "valid": true
+}
+```
+**Output:**
+```json
+{
+  "decision": "continue",
+  "message": ""
+}
+```
+```sql
+-- rate-limit: máximo 5 tentativas erradas em 15 minutos
+create table public.mfa_attempt_log (
+  user_id     uuid not null references auth.users(id) on delete cascade,
+  factor_id   uuid not null,
+  tentativa   timestamptz not null default now(),
+  sucesso     boolean not null
+);
+create index on public.mfa_attempt_log (user_id, tentativa);
+create or replace function public.mfa_verification_hook(event jsonb)
+returns jsonb
+language plpgsql
+as $$
+  declare
+    user_id_val   uuid;
+    factor_id_val uuid;
+    valida        bool;
+    tentativas_erradas int;
+  begin
+    user_id_val   := (event->>'user_id')::uuid;
+    factor_id_val := (event->>'factor_id')::uuid;
+    valida        := (event->>'valid')::boolean;
+    -- checar tentativas erradas nos últimos 15 minutos
+    select count(*) into tentativas_erradas
+    from public.mfa_attempt_log
+    where user_id = user_id_val
+      and factor_id = factor_id_val
+      and sucesso = false
+      and tentativa > now() - interval '15 minutes';
+    -- logar tentativa atual
+    insert into public.mfa_attempt_log (user_id, factor_id, sucesso)
+    values (user_id_val, factor_id_val, valida);
+    if tentativas_erradas >= 5 then
+      return jsonb_build_object(
+        'decision', 'reject',
+        'message', 'Muitas tentativas incorretas. Aguarde 15 minutos.'
+      );
+    end if;
+    return jsonb_build_object('decision', 'continue', 'message', '');
+  end;
+$$;
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.mfa_verification_hook to supabase_auth_admin;
+revoke execute on function public.mfa_verification_hook from authenticated, anon, public;
+grant all on table public.mfa_attempt_log to supabase_auth_admin;
+```
+## Hook 6 — Password Verification (Teams/Enterprise)
+Bloquear login após N tentativas erradas de senha.
+**Input:**
+```json
+{
+  "user_id": "uuid-do-usuario",
+  "valid": false
+}
+```
+```sql
+create or replace function public.password_verification_hook(event jsonb)
+returns jsonb
+language plpgsql
+as $$
+  declare
+    uid            uuid;
+    valida         bool;
+    erros_recentes int;
+  begin
+    uid    := (event->>'user_id')::uuid;
+    valida := (event->>'valid')::boolean;
+    -- logar tentativa
+    insert into public.login_attempt_log (user_id, sucesso)
+    values (uid, valida);
+    -- contar erros nos últimos 30 minutos (apenas se tentativa inválida)
+    if not valida then
+      select count(*) into erros_recentes
+      from public.login_attempt_log
+      where user_id = uid
+        and sucesso = false
+        and tentativa > now() - interval '30 minutes';
+      if erros_recentes >= 10 then
+        return jsonb_build_object(
+          'decision', 'reject',
+          'message', 'Conta temporariamente bloqueada. Tente novamente em 30 minutos.'
+        );
+      end if;
+    end if;
+    return jsonb_build_object('decision', 'continue', 'message', '');
+  end;
+$$;
+create table public.login_attempt_log (
+  id        bigint generated by default as identity primary key,
+  user_id   uuid not null references auth.users(id) on delete cascade,
+  sucesso   boolean not null,
+  tentativa timestamptz default now()
+);
+create index on public.login_attempt_log (user_id, tentativa);
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.password_verification_hook to supabase_auth_admin;
+revoke execute on function public.password_verification_hook from authenticated, anon, public;
+grant all on table public.login_attempt_log to supabase_auth_admin;
+```
+## Regras absolutas
+1. **SEMPRE `grant execute` ao `supabase_auth_admin`** — sem este grant, hook Postgres falha silenciosamente; JWT é emitido sem modificações.
+2. **SEMPRE `revoke execute` de `authenticated`, `anon`, `public`** — sem isso, qualquer cliente pode invocar a função diretamente.
+3. **Hooks HTTP devem verificar assinatura Standard Webhooks** — usar `standardwebhooks` com o secret configurado. Nunca processar payload sem verificação.
+4. **Evitar `security definer` desnecessariamente** — prefira grants explícitos; `security definer` amplia o acesso mais do que necessário.
+5. **TODAS as respostas precisam `Content-Type: application/json`** — Supabase Auth rejeita respostas sem este header.
+6. **Hook deve ser rápido (< 10ms idealmente)** — roda a cada login e refresh; query lenta degrada latência de auth de toda a aplicação.
+7. **Hooks MFA/Password Verification são Teams/Enterprise only** — verificar plano antes de implementar.
+## Anti-patterns
+### Anti-pattern 1: Esquecer grants ao supabase_auth_admin
+**Errado:**
+```sql
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb language plpgsql stable as $$
+  -- implementação aqui
+$$;
+-- sem GRANT EXECUTE TO supabase_auth_admin
+-- sem REVOKE de anon/authenticated
+```
+**Por quê:** Auth hook falha silenciosamente. O JWT é gerado **sem** as modificações do hook — claims customizados não aparecem. Difícil de debugar pois não há erro explícito.
+**Certo:**
+```sql
+-- SEMPRE após criar a função
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.custom_access_token_hook to supabase_auth_admin;
+revoke execute on function public.custom_access_token_hook from authenticated, anon, public;
+```
+### Anti-pattern 2: Não verificar assinatura do webhook HTTP
+**Errado:**
+```ts
+Deno.serve(async (req) => {
+  const event = await req.json()  // ERRADO: aceitar sem verificar assinatura
+  // processar event...
+})
+```
+**Por quê:** qualquer requisição HTTP pode acionar o hook — atacante pode forjar eventos de auth e manipular JWTs, criar usuários, etc.
+**Certo:** sempre verificar com `standardwebhooks`:
+```ts
+const wh = new Webhook(secret)
+const event = wh.verify(payload, headers)  // lança erro se inválido
+```
+### Anti-pattern 3: Hook com query custosa (JOINs, N+1)
+**Errado:**
+```sql
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb language plpgsql stable as $$
+  declare claims jsonb;
+  begin
+    claims := event->'claims';
+    -- query com múltiplos JOINs — roda em CADA login e refresh
+    select jsonb_build_object(
+      'org_name', o.name,
+      'plan', s.plan,
+      'feature_flags', ff.flags
+    ) into ...
+    from auth.users u
+      join public.organizations o on u.raw_user_meta_data->>'org_id' = o.id::text
+      join public.subscriptions s on o.id = s.org_id
+      join public.feature_flags ff on s.plan = ff.plan
+    where u.id = (event->>'user_id')::uuid;
+    -- ...
+  end;
+$$;
+```
+**Por quê:** hook roda em cada login E cada refresh de JWT. Query com JOINs pode adicionar 50-200ms em cada operação de auth — inaceitável em produção.
+**Certo:** denormalizar dados na tabela de roles/perfis; hook faz query simples em única tabela:
+```sql
+-- tabela denormalizada: user_profile com tudo necessário
+select org_name, plan, feature_flags
+into user_data
+from public.user_profiles
+where user_id = (event->>'user_id')::uuid;
+```
+### Anti-pattern 4: Usar `security definer` desnecessariamente
+**Errado:**
+```sql
+create or replace function public.before_user_created_hook(event jsonb)
+returns jsonb
+language plpgsql
+security definer   -- DESNECESSÁRIO se grants explícitos suficientes
+as $$
+  -- ...
+$$;
+```
+**Por quê:** `security definer` faz a função rodar com privilégios do owner (`postgres`) — acesso irrestrito a todos os schemas e tabelas. Risco de path injection e acesso não intencional.
+**Certo:** grants explícitos ao `supabase_auth_admin` para tabelas específicas + sem `security definer`:
+```sql
+grant select on table public.blocked_email_domains to supabase_auth_admin;
+-- sem security definer na função
+```
+## Ver também
+- [supabase-custom-claims-rbac](../supabase-custom-claims-rbac/SKILL.md) — `custom_access_token_hook` completo com RBAC
+- [supabase-edge-functions-auth](../supabase-edge-functions-auth/SKILL.md) — autenticação e segurança em Edge Functions
+- [supabase-mfa](../supabase-mfa/SKILL.md) — MFA TOTP e Phone; MFA Verification Hook para rate-limit
+- [supabase-rls-policies](../supabase-rls-policies/SKILL.md) — políticas RLS que consomem claims do `custom_access_token_hook`
+- [supabase-auth-hook-writer](../../agents/supabase-auth-hook-writer.md) — agente que escreve Auth Hooks com grants corretos e testes